How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014 david@strom.com




The Internet is a nasty place, and getting nastier. Current breach detection products that rely on traditional anti-malware sandbox technologies can't keep up with the advanced persistent and hyper-evasive threats that pummel enterprise networks on an hourly basis. Malware authors build their exploits with a number of operational vectors, so if one entry point doesn't work they can still find a way into your network to do their dirty work. And as more businesses hire outsourced consultants and part-time workers and deploy mobile devices, they open up additional paths for malware to enter their corporate networks.

Some traditional AV and endpoint protection vendors have responded to these threats by adding features to their security products to do a better job of anticipating badly behaving packets as they pass through their detectors. They make use of limited virtual machines or operating system emulators to watch how a piece of malware operates. That is a start, but it isn't enough. Much modern malware can detect when these simulated environments are active and evade detection accordingly. For example, some exploits such as W32.DelfInj can literally go to sleep for several days to outlast any detector that only scans a suspect system for its first several minutes. Here is a summary of the behavior of the Zeus Trojan, showing the various evasive methods it uses to try to stay one step ahead of the detectors.

Fig. 1. How many different evasive techniques the Zeus Trojan uses.
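The sleep-based evasion described above, as an added example that is not Lastline's or any vendor's code: a constructed stalling dropper is run under three analyzer sleep policies. The Sandbox class, its policy names, the three-day delay and the five-minute budget are assumptions made for the simulation; a real system sandbox gets the same effect by hooking the guest's sleep and tick-counter calls rather than by handing the sample an object.

```python
"""Sleep stalling vs. sandbox time control (added example, not Lastline code).

A constructed dropper sleeps for days and then checks that the wait really
happened before doing anything observable. Three analyzer policies are tried:
honoring the sleep (the analysis budget runs out), skipping the sleep without
touching the guest clock (the sample notices and stays quiet), and fast-
forwarding the guest clock so the delay elapses in virtual time.
"""

DELAY_SECONDS = 3 * 24 * 3600        # assumed: sample stays dormant for three days
ANALYSIS_BUDGET_SECONDS = 5 * 60     # assumed: analyzer affords five minutes per sample


class AnalysisTimeout(Exception):
    """Raised when the sample has consumed the analyzer's wall-clock budget."""


class Sandbox:
    """Minimal guest environment exposing time() and sleep() to the sample.

    sleep_policy is one of:
      "honor"       - let wall-clock time pass (naive sandbox)
      "skip"        - return from sleep at once but leave the guest clock alone
      "fastforward" - return at once and advance the guest clock by the slept amount
    """

    def __init__(self, sleep_policy, budget_s=ANALYSIS_BUDGET_SECONDS):
        self.sleep_policy = sleep_policy
        self.budget_s = budget_s
        self.guest_time = 0.0   # what the sample sees (tick-counter analogue)
        self.host_time = 0.0    # real analysis time consumed
        self.events = []        # behaviors observed by the analyzer

    def time(self):
        return self.guest_time

    def sleep(self, seconds):
        if self.sleep_policy == "honor":
            self.host_time += seconds
            self.guest_time += seconds
        elif self.sleep_policy == "fastforward":
            self.guest_time += seconds
        # "skip": neither clock moves
        if self.host_time > self.budget_s:
            raise AnalysisTimeout()

    def record(self, event):
        self.events.append(event)

    def analyze(self, sample):
        """Run the sample and return the events seen within the analysis budget."""
        try:
            sample(self)
        except AnalysisTimeout:
            self.record("analysis: budget exhausted before sample acted")
        return self.events


def stalling_dropper(env):
    """Constructed sample: waits out short analyses and checks the wait was real."""
    started = env.time()
    env.sleep(DELAY_SECONDS)
    if env.time() - started < DELAY_SECONDS:
        # Sleep returned too early: the clock did not advance, so a hooked
        # sleep (an analysis environment) is suspected. Do nothing observable.
        env.record("sample: sleep skipped, exiting quietly")
        return
    env.record("dns: query c2.example")                 # constructed C2 host
    env.record("http: GET /payload.bin from c2.example")
    env.record("persist: write Run key")


def verdict(events):
    """Classify observed behavior; only real post-delay actions count as malicious."""
    if any(e.startswith(("dns:", "http:", "persist:")) for e in events):
        return "malicious"
    if any(e.startswith(("analysis:", "sample:")) for e in events):
        return "inconclusive"
    return "benign"


def run(policy):
    """Analyze the stalling dropper under one sleep policy and return its events."""
    return Sandbox(policy).analyze(stalling_dropper)


if __name__ == "__main__":
    for policy in ("honor", "skip", "fastforward"):
        events = run(policy)
        print(f"{policy:12} -> {verdict(events)}: {events}")
```

The "skip" case is the one practitioners trip over: returning from a sleep without moving the guest's clock is itself a detectable artifact, which is why only the policy that advances the guest clock consistently gets the sample to show its post-delay behavior within the budget.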

This is the biggest fear that many security professionals have: that their tools might miss an advanced threat. All it takes is for a single malicious object to make its way through a next-generation firewall or APT security appliance (one using a virtual or emulation sandbox that offers limited visibility) to someone's hard drive. For example, many fake AV malware exploits operate by sending a DNS request to a special command and control server that kicks off their infection of an endpoint device.

What is needed is a next-generation sandbox that completely mimics a full system (OS, CPU, peripherals) and gleans intelligence from what happens when a particular piece of malware does its dirty business. This means being able to step through the malware's execution and see exactly what it does to a host system: what system calls it makes, what files and registry keys it modifies, what payloads and pieces of remote-control software it leaves behind, and which protective measures it evades through its various obfuscation techniques. Some of the traditional endpoint and network vendors are beginning to add a sandboxing feature to their detection tools, but they lack sufficient comprehensiveness, scale and detection response time.

What is also needed is a way to correlate a series of particular breach events with the onset of the actual attack chain behind a malware infection, so that enterprises can remove these villains and quickly remediate their networks. Today's modern malware uses a combination of email, Web attacks, DNS redirects and mobile apps to work its way into a network. Any product should both analyze network traffic patterns and detect the specific code objects being delivered over the network to endpoints.

With the right kind of incident correlation, a security professional can examine what happened, where it happened, and the events that occurred before and after the actual infection. Part of this analysis is adding IP- and object-based reputation data to the mix, flagging known advanced threats associated with command and control servers and evasive malware. And all of this needs to happen in near real time, so that a potential exploit can be nipped in the bud before it has a chance to spread across more endpoints and infect more machines. As the number of zero-day attacks and custom-created viruses continues to increase, the warning times get shorter. A number of security tools now use distributed sensors to feed their real-time warning systems.

So while there are tools that meet some of these four criteria (full-system sandboxing, event correlation, IP/object reputation and real-time analysis), few have combined them the way the Lastline Breach Detection Platform does. We tested it on a sample network that had been seeded with a series of malware infections. While no test bed can totally simulate the real world, we were impressed with the level of detail, its ease of use, and the way it combined sandboxing, event correlation, IP/object reputation and real-time analysis. How does it work and how does it measure up to the above items?
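The correlation and reputation steps described above, as an added example that is not Lastline's code: raw sensor and sandbox events for one host are mapped to attack-chain stages (delivery, exploit, installation, command and control), grouped into an incident within a time window, scored, and the C2 indicators are turned into block rules that a firewall integration could consume. The event schema, the reputation sets, the stage weights, the threshold and the rule syntax are all assumptions made for the example; the event stream is constructed.

```python
"""Correlating sensor and sandbox events into a kill-chain incident
(added example; not Lastline code; schema, feeds and rule syntax are assumed).
"""

from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed reputation feeds; a real deployment would query a threat-intel service.
BAD_DOMAINS = {"c2.badexample.net"}
BAD_IPS = {"198.51.100.9"}
SANDBOX_MALICIOUS_SCORE = 70   # assumed: sandbox score at or above which an object is an exploit

# Assumed confidence weight per stage; an incident is raised once the total reaches the threshold.
STAGE_WEIGHT = {"delivery": 10, "exploit": 40, "installation": 30, "command_and_control": 50}
INCIDENT_THRESHOLD = 60

# Constructed event stream (ts in seconds). Host 10.0.0.12 is compromised; 10.0.0.40 is benign.
EVENTS = [
    {"ts": 0,   "host": "10.0.0.12", "type": "smtp_attachment",  "indicator": "sha256:deadbeef01"},
    {"ts": 30,  "host": "10.0.0.12", "type": "sandbox_verdict",  "indicator": "sha256:deadbeef01", "score": 92},
    {"ts": 45,  "host": "10.0.0.12", "type": "http_download",    "indicator": "http://198.51.100.9/payload.exe"},
    {"ts": 60,  "host": "10.0.0.12", "type": "registry_run_key", "indicator": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"ts": 75,  "host": "10.0.0.12", "type": "dns_query",        "indicator": "c2.badexample.net"},
    {"ts": 80,  "host": "10.0.0.12", "type": "tcp_connect",      "indicator": "198.51.100.9:443"},
    {"ts": 90,  "host": "10.0.0.40", "type": "smtp_attachment",  "indicator": "sha256:cafe000002"},
    {"ts": 95,  "host": "10.0.0.40", "type": "sandbox_verdict",  "indicator": "sha256:cafe000002", "score": 5},
    {"ts": 120, "host": "10.0.0.40", "type": "dns_query",        "indicator": "www.example.com"},
]


def classify(ev):
    """Map one raw event to an attack-chain stage, or None if it is not suspicious on its own."""
    kind, ind = ev["type"], ev["indicator"]
    if kind == "smtp_attachment":
        return "delivery"                          # low weight: needs corroboration
    if kind == "sandbox_verdict":
        return "exploit" if ev["score"] >= SANDBOX_MALICIOUS_SCORE else None
    if kind == "http_download":
        return "delivery" if urlsplit(ind).hostname in BAD_IPS | BAD_DOMAINS else None
    if kind == "registry_run_key":
        return "installation"                      # persistence reported by the sandbox
    if kind == "dns_query":
        return "command_and_control" if ind in BAD_DOMAINS else None
    if kind == "tcp_connect":
        return "command_and_control" if ind.rsplit(":", 1)[0] in BAD_IPS else None
    return None


@dataclass
class Incident:
    host: str
    first_seen: int
    last_seen: int
    stages: dict = field(default_factory=dict)   # stage -> indicators observed
    score: int = 0


def correlate(events, window_s=3600, threshold=INCIDENT_THRESHOLD):
    """Group stage-bearing events per host within window_s; keep groups scoring >= threshold."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is not None:
            by_host[ev["host"]].append((ev, stage))

    incidents = []
    for host, items in by_host.items():
        current = None
        for ev, stage in items:
            if current is None or ev["ts"] - current.last_seen > window_s:
                current = Incident(host, ev["ts"], ev["ts"])
                incidents.append(current)
            current.last_seen = ev["ts"]
            current.stages.setdefault(stage, []).append(ev["indicator"])

    for inc in incidents:
        inc.score = sum(STAGE_WEIGHT[s] for s in inc.stages)   # each distinct stage counts once
    return [inc for inc in incidents if inc.score >= threshold]


def block_rules(incident):
    """Turn the incident's C2 indicators into firewall rule strings (syntax is hypothetical)."""
    rules = set()
    for ind in incident.stages.get("command_and_control", []):
        target = ind.rsplit(":", 1)[0]   # strip a trailing port from ip:port
        if target in BAD_IPS:
            rules.add(f"deny ip {target}")
        elif target in BAD_DOMAINS:
            rules.add(f"sinkhole domain {target}")
    return sorted(rules)


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc.host, inc.first_seen, inc.last_seen, inc.score, sorted(inc.stages), block_rules(inc))
```

Scoring by distinct stages rather than by event count is the point: a lone email attachment or a single benign-looking DNS query never crosses the threshold on its own, while delivery, a malicious sandbox verdict, persistence and a reputation-flagged C2 contact on the same host within the window do.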

Lastline's core idea is to run a piece of suspected malware in a way that provides the most complete examination of its operations. Suspected code is extracted from the network traffic flow, analyzed and correlated with other network-level events to provide a full picture of what happened. It has one of the most thorough analysis sandbox engines. But what is more important is how Lastline provides actionable intelligence to a wide variety of leading security vendors' intrusion prevention and unified threat management platforms, including those from WatchGuard, Barracuda, TippingPoint, Juniper, Tripwire and others. Through a set of application programming interfaces, Lastline can send and receive firewall blocking rules and breach event data to and from the systems you have already purchased, so that these threats can be stopped quickly.

Lastline has four major components:

Network sensors. This is software that can be installed on standard servers or VMs and continuously monitors network traffic through switch SPAN ports to collect suspicious behavior. Lots of security tools do this already, and it is the cornerstone of any modern security tool. What makes Lastline more interesting is that it combines IP and domain reputation analysis with malware fingerprinting techniques. With its 6.0 release the Lastline breach detection platform also includes unlimited 10 Gbps sensor interfaces.

Advanced sandbox screening tool. Suspicious objects that may be zero-day threats are collected from the sensors and analyzed with the Lastline next-generation sandbox, which emulates a complete endpoint system (OS, memory and peripherals). Other sandboxing tools leave small in-guest code stubs that can reveal they aren't real endpoints; Lastline has no such in-guest clues for malware to key on, so its analysis environment looks just like a regular computer. In addition to running the code, this tool records the specific attack-chain behaviors of the malware and documents what harm it actually does to the system, including delivery, detailed exploit characteristics, malware installation and command and control communication.

Reporting and threat analysis tool. Low-level event data is collected and correlated into a particular security incident, which then updates an online threat database. You can examine the captured network traffic and malware behaviors, see the results of the analysis, and look at why an object was judged suspicious or threatening, with low false-positive and false-negative noise. Information is displayed on a highly graphical and easily parsed Web-based portal for action by security administrators. For example, with just a few clicks through the menus, we could see how often the same infection was downloaded by a particular endpoint, why a particular event led to other activities across our network, or how a piece of malware was attached to a series of different email messages.

Rich threat intelligence on advanced threats. Known exploits and the IP-based infrastructure associated with advanced malware are highly dynamic, and traditional signature-based knowledge bases are ill equipped to keep up. Lastline's threat intelligence draws on its global collection of next-generation sandboxes.

To add flexibility, both the next-generation sandbox and the reporting tool can be either hosted or installed on-premises. Here is an example screenshot of the reporting tool, showing a summary of incidents, the top 10 malware infections observed, and a listing of each event that you can drill into for further analysis.

Fig 2. A typical dashboard from Lastline's platform, showing particular incidents and infections.

Summary

Other security tools have some but not all of the components found in the Lastline Breach Detection Platform. What makes it unique is its range of discovery, the way it can effectively mimic actual PC or smartphone endpoints to examine malware behavior, and how it can scale up to handle very large networks with its modular and SaaS-based tools. The Lastline platform offers a predictable annual subscription model starting at $40 per user per year, giving enterprises the ability to monitor an unlimited number of protocols and locations and to analyze networks from 10 Mbps to 10 Gbps without incurring additional fees.

About David Strom

David Strom (@dstrom, strominator.com) is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VoIP, convergence, email, cloud computing, network security, Internet applications, wireless and Web services for more than 25 years. He has held several editorial management positions for both print and online properties in the enthusiast, gaming, IT, network, channel and electronics industries, including editor-in-chief of Network Computing (print), DigitalLanding.com and Tom's Hardware. He began his career working in varying roles in end-user computing in the IT industry. He has a Master of Science in Operations Research from Stanford University and a BS from Union College.